From raeburn at MIT.EDU Tue Mar 18 14:28:25 2008 
From: raeburn at MIT.EDU (raeburn@MIT.EDU)
Date: Tue, 18 Mar 2008 14:28:25 -0400 (EDT)
Subject: MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc
Message-ID: <200803181828.m2IISPpX018976@dcl.mit.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2008-002

MIT krb5 Security Advisory 2008-002
Original release: 2008-03-18
Last update: 2008-03-18

Topic: array overrun in RPC library used by kadmind

CVE-2008-0947, CVE-2008-0948
VU#374121

Use of high-numbered file descriptors in the RPC library, used by
kadmind, can cause references past the end of an array.

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:P/RL:T/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official fix
Report Confidence:      Confirmed

SUMMARY
=======

Two bugs in the RPC library server code, used in the kadmin server,
cause an array overrun if too many file descriptors are opened.
Memory corruption can result.

IMPACT
======

An unauthenticated remote attacker can cause memory corruption in the
kadmind process, which is likely to cause kadmind to crash, resulting
in a denial of service.  It is at least theoretically possible for
such corruption to result in database corruption or arbitrary code
execution, though we have no such exploit and are not aware of any
such exploits in use in the wild.

CVE-2008-0947: In 1.4 and later, this bug can only be triggered in
configurations that allow large numbers of open file descriptors in a
process.

CVE-2008-0948: In versions before 1.3, this bug can be triggered in
similar circumstances, but is further limited to platforms not
defining certain macros in certain C system header files.  Solaris 10
and Mac OS X 10.4 appear to be unaffected, while GNU libc systems
(e.g., many GNU/Linux distributions) are.
It appears that in at least some cases kadmind will simply exit after
getting a "bad file descriptor" error, but this cannot be guaranteed.

AFFECTED SOFTWARE
=================

CVE-2008-0947: libgssrpc and kadmind, from krb5-1.4 through krb5-1.6.3

CVE-2008-0948: libgssrpc and kadmind, in krb5-1.2.2 and probably most
other versions before 1.3, on systems where does not define
FD_SETSIZE.

FIXES
=====

* Workaround: Check the system header files for the value of
  FD_SETSIZE.  Use "ulimit -n" or "limit descriptors" in the shell
  invoking kadmind to limit the number of open file descriptors to
  FD_SETSIZE or less, before starting kadmind.  Then the operating
  system will prevent the use of file descriptors large enough to
  exploit this bug.

* Apply the following patch for krb5-1.4 and later:

=== src/lib/rpc/svc.c
==================================================================
- --- src/lib/rpc/svc.c	(revision 1666)
+++ src/lib/rpc/svc.c	(local)
@@ -109,15 +109,17 @@
 	if (sock < FD_SETSIZE) {
 		xports[sock] = xprt;
 		FD_SET(sock, &svc_fdset);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #else
 	if (sock < NOFILE) {
 		xports[sock] = xprt;
 		svc_fds |= (1 << sock);
+		if (sock > svc_maxfd)
+			svc_maxfd = sock;
 	}
 #endif /* def FD_SETSIZE */
- -	if (sock > svc_maxfd)
- -		svc_maxfd = sock;
 }
 
 /*
=== src/lib/rpc/svc_tcp.c
==================================================================
- --- src/lib/rpc/svc_tcp.c	(revision 1666)
+++ src/lib/rpc/svc_tcp.c	(local)
@@ -54,6 +54,14 @@
 extern errno;
 */
 
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
 /*
  * Ops vector for TCP/IP based rpc service handle
  */
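Review bot: in the svc.c hunk, a descriptor at or above FD_SETSIZE (or NOFILE in the #else branch) now leaves svc_maxfd untouched but is still silently skipped, with no return value or log line telling the caller that registration did not happen; only the TCP path in svc_tcp.c gains an explicit rejection, so any other caller that registers a high-numbered descriptor would still believe it succeeded and never close it. Consider having the registration function report the failure (a return code or at least a stderr line like the one in makefd_xprt) so every caller can clean up.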
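Review bot: the NOFILE fallback in the svc_tcp.c -54 hunk is defined with no `#ifndef NOFILE` guard inside the `#ifndef FD_SETSIZE` block, so a system header that already supplies NOFILE will produce a redefinition; and because svc.c relies on the same constant for its `if (sock < NOFILE)` check and the `svc_fds |= (1 << sock)` int bitmask, the value must stay identical in both files. Defining it once in a shared header, guarded, would remove both risks.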
@@ -215,6 +223,19 @@
 	register SVCXPRT *xprt;
 	register struct tcp_conn *cd;
 
+#ifdef FD_SETSIZE
+	if (fd >= FD_SETSIZE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#else
+	if (fd >= NOFILE) {
+		(void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+		xprt = NULL;
+		goto done;
+	}
+#endif
 	xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
 	if (xprt == (SVCXPRT *)NULL) {
 		(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
@@ -271,6 +292,10 @@
 	 * make a new transporter (re-uses xprt)
 	 */
 	xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+	if (xprt == NULL) {
+		close(sock);
+		return (FALSE);
+	}
 	xprt->xp_raddr = addr;
 	xprt->xp_addrlen = len;
 	xprt->xp_laddr = laddr;

This patch will result in too-high-numbered file descriptors being
immediately closed after the connection comes in.  Clients will see
connections established, and then closed; a "GSS-API (or Kerberos)
error while initializing kadmin interface" will eventually result.
Once some of the lower-numbered file descriptors are closed, clients
will be able to get useful connections again.

* Apply the following patch for krb5-1.2.2 and probably other pre-1.3
  versions:

Index: src/lib/rpc/rpc_dtablesize.c
===================================================================
- --- src/lib/rpc/rpc_dtablesize.c	(revision 20237)
+++ src/lib/rpc/rpc_dtablesize.c	(working copy)
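Review bot: in the -271 hunk the rejected connection is closed and FALSE returned without any record at this level, so the only trace of the event is the generic "fd too high" line that makefd_xprt writes to stderr; since the advisory itself says clients will observe connections accepted and then dropped, logging the peer here (addr is already in scope, as the following `xprt->xp_raddr = addr;` line shows) would make the condition diagnosable from kadmind's logs rather than only from client-side errors. Returning FALSE is otherwise correct: the listening socket stays registered and later connections succeed once lower descriptors are freed.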
@@ -32,6 +32,7 @@
 #endif
 #include
+#include
 
 /*
  * Cache the result of getdtablesize(), so we don't have to do an

* The next release from MIT (1.6.4) will include a fix.

REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

        http://www.first.org/cvss/cvss-guide.html
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2008-0947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947

CVE: CVE-2008-0948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948

CERT: VU#374121
http://www.kb.cert.org/vuls/id/374121

ACKNOWLEDGMENTS
===============

Thanks to Jeff Altman of Secure Endpoints for discovering and
reporting this problem in 1.6.3.  Thanks to the Red Hat Security
Response Team for noting that 1.2.2 was also affected by the same
problem, for different reasons.

CONTACT
=======

The MIT Kerberos Team security contact address is .  When sending
sensitive information, please PGP-encrypt it using the following key:

pub   1024D/2915318C 2008-01-18 [expires: 2009-02-01]
uid                  MIT Kerberos Team Security Contact
sub   2048g/3A91A276 2008-01-18 [expires: 2009-02-01]

DETAILS
=======

The variable svc_maxfd tracks the highest-numbered file descriptor
registered with the RPC library as a transport handle.  While the
registration function does check that the file descriptor number is
less than FD_SETSIZE for array references, the code for updating
svc_maxfd is not so protected.  Elsewhere, svc_maxfd is used as an
upper bound for array indexing, and as the maximum file descriptor
number to pass to select().
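An added C example, not krb5's own code, of the svc_maxfd bookkeeping just described: the high-water mark is updated only inside the FD_SETSIZE check, an out-of-range descriptor is reported back to the caller, and a startup check implements the "ulimit -n" workaround from FIXES. Names such as xprt_register_checked and nofile_limit_is_safe are hypothetical.

```c
/* Added example, not krb5's own code: a bounds-checked transport
 * registration that only updates the high-water mark inside the
 * FD_SETSIZE check, plus a startup check for the "ulimit -n"
 * workaround.  Function and variable names are hypothetical. */
#include <stdio.h>
#include <sys/select.h>
#include <sys/resource.h>

/* Stand-ins for the library's xports[] / svc_fdset / svc_maxfd. */
static void *xports[FD_SETSIZE];
static fd_set svc_fdset;
static int svc_maxfd = -1;

/* Register transport xprt on descriptor fd.  Returns 0 on success and
 * -1 when fd would index past xports[] or overflow the fd_set; in
 * that case nothing is touched and the caller must close fd itself,
 * which is what the svc_tcp.c part of the advisory's patch does. */
int xprt_register_checked(int fd, void *xprt)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        fprintf(stderr, "xprt_register: fd %d outside [0, %d)\n",
                fd, (int)FD_SETSIZE);
        return -1;
    }
    xports[fd] = xprt;
    FD_SET(fd, &svc_fdset);
    if (fd > svc_maxfd)          /* only reached for in-range fds */
        svc_maxfd = fd;
    return 0;
}

/* Highest descriptor registered so far (what select() would be given). */
int xprt_maxfd(void)
{
    return svc_maxfd;
}

/* The advisory's workaround in code: with the soft RLIMIT_NOFILE at or
 * below FD_SETSIZE the kernel never hands out a descriptor numbered
 * FD_SETSIZE or higher.  Returns 1 if the limit is safe, 0 if it is
 * not (including RLIM_INFINITY), -1 if getrlimit() fails. */
int nofile_limit_is_safe(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur <= (rlim_t)FD_SETSIZE ? 1 : 0;
}

int main(void)
{
    int ok = xprt_register_checked(3, xports);
    int bad = xprt_register_checked(FD_SETSIZE, xports);
    printf("fd 3 -> %d, fd %d -> %d, svc_maxfd = %d\n",
           ok, (int)FD_SETSIZE, bad, xprt_maxfd());
    printf("RLIMIT_NOFILE <= FD_SETSIZE: %d\n", nofile_limit_is_safe());
    return 0;
}
```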
In 1.2.2, the variable is called max_xport, and is checked against the
value returned by _gssrpc_rpc_dtablesize(), but while that function
checks FD_SETSIZE if it's defined, the source file containing it only
includes unistd.h, which doesn't define FD_SETSIZE on all platforms.
In kadmind, the value from _gssrpc_rpc_dtablesize() is also passed to
select() as the maximum file descriptor number.

REVISION HISTORY
================

2008-03-18  original release

Copyright (C) 2008 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH3/21UqOaDMQ+e5gRAj38AJ97qJdFUkcnvPwI19DMKTnDsuXYMgCeMmdw
ZbfG/YXurbX8hTe4+cJiZBM=
=1O1O
-----END PGP SIGNATURE-----

From raeburn at MIT.EDU Tue Mar 18 14:28:42 2008
From: raeburn at MIT.EDU (raeburn@MIT.EDU)
Date: Tue, 18 Mar 2008 14:28:42 -0400 (EDT)
Subject: MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc
Message-ID: <200803181828.m2IISgm6018984@dcl.mit.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 MITKRB5-SA-2008-001

MIT krb5 Security Advisory 2008-001
Original release: 2008-03-18
Last update: 2008-03-18

Topic: double-free, uninitialized data vulnerabilities in krb5kdc

CVE-2008-0062
VU#895609

Use of a null or dangling pointer in the MIT Kerberos KDC can result
in a crash or double-free, and may leak portions of process memory to
an attacker.

CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C/E:P/RL:O/RC:C

CVSSv2 Base Score:      9.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.5

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2008-0063
VU#895609

Uninitialized stack values cause re-use of a small window of previous
stack values to be interpreted as message content.  Some of the
"content" may be returned to the attacker as part of an error
response.

CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C

CVSSv2 Base Score:      4.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Partial
Integrity Impact:       None
Availability Impact:    None

CVSSv2 Temporal Score:  3.4

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

When Kerberos 4 support is enabled in the MIT Kerberos 5 KDC,
malformed messages may trigger two bugs:

CVE-2008-0062: A global variable holding a pointer to the message to
be sent back to the client is only set for two recognized krb4 message
types, but may be used (and freed) in additional cases, resulting in
use of a null or dangling pointer.
CVE-2008-0063: The incoming krb4 message is copied into a fixed-size
buffer on the stack, but the remainder of the buffer is left
untouched, and the bounds checks use the size of the buffer, not the
size of the data copied into it.

By default, Kerberos 4 support is compiled in but not enabled in
recent versions, and these bugs are not exposed unless Kerberos 4
support is enabled.

These are implementation bugs, not protocol defects.

IMPACT
======

CVE-2008-0062: An unauthenticated remote attacker may cause a
krb4-enabled KDC to crash, expose information, or execute arbitrary
code.  Successful exploitation of this vulnerability could compromise
the Kerberos key database and host security on the KDC host.

CVE-2008-0063: An unauthenticated remote attacker may cause a
krb4-enabled KDC to expose information.  It is theoretically possible
for the exposed information to include secret key data on some
platforms.

AFFECTED SOFTWARE
=================

MIT Kerberos 5 version 1.6.3 KDC, and probably all earlier versions,
when krb4 support is compiled in and enabled.  (The krb4 support is
disabled by default in recent releases.)

No client or application server programs are affected.

FIXES
=====

* Apply the patch available at:

  http://web.mit.edu/kerberos/advisories/2008-001-patch.txt

  or in PGP-signed form at:

  http://web.mit.edu/kerberos/advisories/2008-001-patch.txt.asc

* These bugs will be fixed in the next release.
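An added C model, not the KDC's own code, of the CVE-2008-0063 pattern described in the summary: a message is copied into a fixed buffer that still holds old contents, and a name field is then read out bounded either by the buffer size (the bug) or by the bytes actually received (the fix). parse_realm, read_name, the sample message bytes and the stale buffer contents are all constructed for this illustration.

```c
/* Added example, not the KDC's own code: a small model of the
 * CVE-2008-0063 pattern.  A message lands in a fixed buffer that still
 * holds old contents, and a name field is then read out bounded either
 * by the buffer size (the bug) or by the bytes actually received (the
 * fix).  parse_realm/read_name and the sample bytes are constructed. */
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 64
#define NAME_MAX_LEN 40   /* the advisory's 40-byte per-field limit */

/* Constructed sample messages: first byte 4 (krb4), second byte a
 * message type, then a NUL-terminated realm name. */
const unsigned char full_msg[] = {4, 1, 'E', 'X', 'A', 'M', 'P', 'L', 'E', 0};
const unsigned char truncated_msg[] = {4, 1};   /* cut off before the name */

/* Copy the NUL- or NAME_MAX_LEN-bounded string at buf[off] into out.
 * Only bytes below 'limit' are trusted.  Returns the field length, or
 * -1 if no terminator is found within the trusted bytes. */
static int read_name(const unsigned char *buf, size_t limit, size_t off,
                     char *out, size_t outsz)
{
    size_t n = 0;
    while (off + n < limit && n < NAME_MAX_LEN && buf[off + n] != '\0')
        n++;
    if (off + n >= limit || n + 1 > outsz)
        return -1;
    memcpy(out, buf + off, n);
    out[n] = '\0';
    return (int)n;
}

/* Receive msg into a stack buffer and extract the realm at offset 2.
 * bounded_by_received == 0 reproduces the bug (limit = sizeof buf);
 * bounded_by_received == 1 applies the fix (limit = msglen). */
int parse_realm(const unsigned char *msg, size_t msglen,
                int bounded_by_received, char *out, size_t outsz)
{
    unsigned char buf[MSG_BUF_SIZE];
    size_t limit;

    /* Constructed stale contents standing in for whatever an earlier
     * message or a krb5 stack frame left in this region. */
    memset(buf, 0, sizeof buf);
    memcpy(buf, "XXOLD.SECRET.REALM", 18);

    if (msglen > sizeof buf)
        msglen = sizeof buf;
    memcpy(buf, msg, msglen);          /* bytes past msglen stay stale */

    limit = bounded_by_received ? msglen : sizeof buf;
    return read_name(buf, limit, 2, out, outsz);
}

int main(void)
{
    char realm[NAME_MAX_LEN + 1];
    if (parse_realm(truncated_msg, sizeof truncated_msg, 0, realm, sizeof realm) >= 0)
        printf("buffer-size bound leaks stale bytes: \"%s\"\n", realm);
    if (parse_realm(truncated_msg, sizeof truncated_msg, 1, realm, sizeof realm) < 0)
        printf("received-length bound rejects the truncated message\n");
    if (parse_realm(full_msg, sizeof full_msg, 1, realm, sizeof realm) >= 0)
        printf("complete message parses as \"%s\"\n", realm);
    return 0;
}
```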
REFERENCES
==========

This announcement is posted at:

        http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

        http://www.first.org/cvss/cvss-guide.html
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE: CVE-2008-0062 CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063

CERT: VU#895609
http://www.kb.cert.org/vuls/id/895609

CONTACT
=======

The MIT Kerberos Team security contact address is .  When sending
sensitive information, please PGP-encrypt it using the following key:

pub   1024D/2915318C 2008-01-18 [expires: 2009-02-01]
uid                  MIT Kerberos Team Security Contact
sub   2048g/3A91A276 2008-01-18 [expires: 2009-02-01]

DETAILS
=======

CVE-2008-0062: If a bogus Kerberos 4 message (i.e., a message with the
first byte having the value 4, but the second byte not describing one
of the message types supported by the KDC) is received by the KDC, and
there has been no previous Kerberos 4 traffic, a null pointer
dereference will result, likely crashing the KDC.  If there has been
valid Kerberos 4 traffic already, a dangling pointer will be used to
locate the message to send to the client; it may resend a previously
generated response, send some other arbitrary chunk of process memory,
perhaps including secret key data, or crash the process by attempting
to access an invalid address.  If the process doesn't crash, random
addresses will be passed to free(), likely corrupting the free pool,
and potentially leading to later crashes, data corruption, jumps to
arbitrary locations in process memory, etc.
The KDC normally runs without write access to its database, so it is
not likely to corrupt the database, except insofar as arbitrary code
execution could theoretically corrupt anything the process has access
to on the system.

CVE-2008-0063: If a Kerberos 4 message is truncated, previous contents
of the stack may be used in place of the missing portions of the
message.  (Note that if the message type is missing, and the data read
from the stack is not a recognized message type, this may indirectly
trigger CVE-2008-0062 described above.)  Several strings are read from
the "message" as parts of principal names; these strings are limited
to 40 bytes or the next ASCII NUL found in the buffer.  If the KDC
returns an error message indicating that a principal name is not found
in its database, the principal name is included in the error message,
and some of the old stack content may be there.

If the previously handled message was a valid Kerberos 4 message,
parts of that message may be re-used for the new message; this
wouldn't expose any data that wouldn't have been visible on the local
network.  If the previously handled message was a Kerberos 5 message,
the values overlaid by the buffer are likely to be old argument
pointers, saved registers, return addresses, and so forth.  However,
since stack contents and layout are highly dependent on the platform
and compiler, it is impossible to assert that no secret key data may
be leaked into the exposed stack regions on any platform.

REVISION HISTORY
================

2008-03-18  original release

Copyright (C) 2008 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFH4AC6UqOaDMQ+e5gRAt5BAKCkfIKFE6assZ+fhbf8ghT5PsS5RQCfcQAJ
MmnThImfNYzxigqYCX+Fkm8=
=zmzD
-----END PGP SIGNATURE-----

From raeburn at MIT.EDU Tue Mar 18 14:36:53 2008
From: raeburn at MIT.EDU (raeburn@MIT.EDU)
Date: Tue, 18 Mar 2008 14:36:53 -0400 (EDT)
Subject: MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin (resend, corrected subject)
Message-ID: <200803181836.m2IIarJf019005@dcl.mit.edu>